NAI Mobile Application Code

Transcription

1 2015 UPDATE TO THE NAI Mobile Application Code June 2017

2 INTRODUCTION The 2015 The NAI may publish from time to time additional guidance documents related to requirements in the App Code. update to the NAI Mobile Application Code (App Code) governs NAI members Cross-App Advertising and Ad Delivery and Reporting activities as defined herein. This code does not govern members activities insofar as they act as first parties or as service providers who collect and use data solely on behalf of a single first party. To the extent members collect data on mobile devices across websites owned or operated by different entities, that activity will be governed by the NAI Code of Conduct (Code). 1 Although different member activities may be covered by both the Code of Conduct and the App Code, the NAI believes that the mobile and desktop ecosystems are rapidly converging. It is the NAI s intention to keep the high-level principles of notice, choice, and transparency consistent between its codes with the goal of merging them together as the mobile ecosystem matures. The NAI recognizes that the mobile advertising ecosystem is rapidly developing new technologies and business models to take advantage of the unique opportunities afforded by mobile devices. 2 As a result, the NAI acknowledges that defining an effective App Code may require, at least initially, regular iterations, with full notice and participation by stakeholders. Accordingly, this 2015 update to the Mobile Application Code further takes into account feedback from NAI member companies and others in the mobile advertising ecosystem, regarding the practical implementation of certain provisions of the original NAI Mobile Application Code published in This update also seeks to harmonize the App Code with the 2015 Update to the NAI Code of Conduct. The NAI may publish from time to time additional guidance documents related to requirements in the App Code. The App Code includes both code provisions and commentary. The purpose of the commentary sections in this App Code is not to add substantive obligations on members or to alter the principles set forth in the App Code itself. Instead, the commentary explains the intent behind certain provisions of the App Code and provides non-binding illustrative guidance on methods through which members can meet the substantive obligations herein. The App Code s requirements inform both consumers and businesses that NAI members implement, honor and maintain high standards for data collection for Cross-App Advertising increasing trust across the entire ecosystem. The App Code is a self-regulatory code. The NAI recognizes that the application of the App Code may involve subjective judgments and that technical, operational and policy questions may affect such judgments. For that reason it is the intent that the NAI, as a self-regulatory body, is the final arbiter of how the App Code applies to its members practices in any given instance. Only the NAI staff is authorized to interpret the requirements of the App Code and to evaluate compliance with and enforce violations of the App Code. If NAI staff determines that there is an instance of non-compliance with the App Code by a member, and if a member refuses to implement the recommended steps to bring its practices into compliance, the NAI enforcement procedures allow NAI to refer the matter to the Federal Trade Commission (FTC). In making such a referral, NAI does not ask the FTC to interpret the App Code, but simply to address the member s failure to comply with the NAI s interpretation and application of the App Code. 1 The 2015 Update to the NAI Code of Conduct is available at Code15encr.pdf. When necessary, mobile-specific implementation guidance may be provided as a supplement to the 2015 Update to the NAI Code of Conduct. 2 This App Code covers the collection and use of data across applications on mobile devices. While the NAI recognizes that apps will expand their reach and use across the ecosystem to devices such as TV s, game consoles and wearables, the App Code does not extend to those environments. 1

3 2015 UPDATE TO THE NAI Mobile Application Code 2015 UPDATE TO THE NAI MOBILE APPLICATION CODE I. Definitions A. CROSS-APP ADVERTISING Cross-App Advertising means the collection of data through applications owned or operated by different entities on a particular device for the purpose of delivering advertising based on preferences or interests known or inferred from the data collected. Commentary: Cross-App Advertising does not include the collection or use, for advertising purposes, of De-Identified Data. Cross-App Advertising also does not include contextual advertising, in which the ad selected depends upon the content of the application in which it is served. Cross-App Advertising does not include first party marketing, in which first parties customize content or suggest products based upon the content of the application(s) or users activity in their application(s) (including the content they view or the searches they perform), so long as the application provider is also the content provider. To the extent NAI members engage in such activities, those activities fall outside of the scope of this App Code. B. AD DELIVERY AND REPORTING Ad Delivery and Reporting is separate and distinct from Cross-App Advertising and means the collection of information from a device for the purpose of delivering ads or providing advertisingrelated services, including but not limited to: providing a specific advertisement based on a particular type of device or time of day; statistical reporting regarding the activity in an application; analytics and analysis; optimization of ad location and placement; ad performance; reach and frequency metrics (e.g., frequency capping); security and fraud prevention; billing; and logging the number and type of ads served on a particular day to a particular application or device. C. RETARGETING Retargeting is the practice of collecting data about a user s activity in one application for the purpose of delivering an advertisement based on that data in a different, unaffiliated application. Although it is a separate and distinct practice from Cross-App Advertising, unless specified otherwise, requirements and obligations set forth under the App Code for Cross-App Advertising apply equally to Retargeting. D. PERSONALLY IDENTIFIABLE INFORMATION (PII) Personally Identifiable Information (PII) is any information used or intended to be used to identify a particular individual, including name, address, telephone number, address, financial account number, and government-issued identifier. E. NON-PII Non-PII is data that is linked or reasonably linkable to a particular device. Non-PII includes, but is not limited to, unique identifiers associated with users devices, such as device or advertising identifiers and IP addresses, where such identifiers or IP addresses are not linked to PII. Non-PII does not include De-Identified Data. 2

4 F. DE-IDENTIFIED DATA De-Identified Data is data that is not linked or reasonably linkable to an individual or to a particular device. G. PRECISE LOCATION DATA Precise Location Data is information that describes the precise geographic location of a device derived through any technology that is capable of determining with reasonable specificity the actual physical location of an individual or device, such as GPS level latitude-longitude coordinates or location based Wi-Fi triangulation. Commentary: The definition of Precise Location Data does not include location data that has been altered, or will be altered, upon its provision for use in Cross-App Advertising, so that a member is unable to determine with reasonable specificity the actual physical location of an individual or device. 3 Precise Location Data does not include information that does not necessarily reflect the actual location of a device such as the user s speed and direction of travel, or a user-submitted check-in. H. SENSITIVE DATA Sensitive Data includes: Social Security Numbers or other government-issued identifiers; Insurance plan numbers; Financial account numbers; Information about any past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history based on, obtained or derived from pharmaceutical prescriptions or medical records, or similar health or medical sources that provide actual knowledge of a condition or treatment (the source is sensitive); Information, including inferences, about sensitive health or medical conditions or treatments, including, but not limited to, all types of cancer, mental health-related conditions, and sexuallytransmitted diseases (the condition or treatment is sensitive regardless of the source); and Sexual Orientation. I. PERSONAL DIRECTORY DATA Personal Directory Data is calendar, address book, phone/text log, or photo/video file data (including any associated metadata), or similar data created by a user that is stored on or accessed through a device. J. OPT-IN CONSENT Opt-In Consent means that an individual takes some affirmative action that manifests the intent to opt in. 3 The analysis performed by NAI and its member companies to determine whether location data is imprecise, is discussed more thoroughly in Guidance for NAI Members: Determining Whether Location is Imprecise, available at default/files/nai_impreciselocation.pdf 3

5 2015 UPDATE TO THE NAI Mobile Application Code K. OPT-OUT MECHANISM Opt-Out Mechanism is an easy-to-use mechanism by which individuals may exercise choice to disallow Cross-App Advertising with respect to a particular device. Commentary: An industry-standard mechanism for expressing choice regarding Cross-App Advertising has not yet been established. In lieu of this mechanism, members should maintain, or describe how to access, an opt-out mechanism that is (1) user-friendly and (2) appropriately durable given the nature, characteristics and use of Cross-App Advertising technology. These standards will evolve as technologies allow users to express choice. Platform-provided choice mechanisms that satisfy the above requirements are sufficient to meet the definition of Opt-Out Mechanism. For example, the Limit Ad Tracking feature found on some mobile devices can qualify as an Opt-Out Mechanism if a member uses it to honor a user s choice to disallow Cross-App Advertising. The obligations under the App Code are independent of any obligations required by a platform to use its provided choice mechanism. 4

6 II. Member Requirements A. EDUCATION 1. Members shall collectively maintain an NAI website to serve as a centralized portal offering education about Cross-App Advertising, the requirements of the App Code, and information about user choice mechanisms. 2. Members should use reasonable efforts to educate individuals about Cross-App Advertising and the choices available to them with respect to Cross-App Advertising. B. TRANSPARENCY AND NOTICE 1. Website Notice: Each member company shall provide clear, meaningful, and prominent notice on its website that describes its data collection, transfer, and use practices for Cross-App Advertising and/or Ad Delivery and Reporting. Such notice shall include the following, as applicable: a. A general description of the following as applicable: i. Cross-App Advertising and/or Ad Delivery and Reporting activities undertaken by the member company; ii. The types of data collected or used for Cross-App Advertising and/or Ad Delivery and Reporting purposes including PII, Precise Location Data and Personal Directory Data; iii. How such data will be used, including transfer, if any, to a third party; iv. The technologies used by the member company for Cross-App Advertising and Ad Delivery and Reporting; v. The approximate length of time that data used for Cross-App Advertising or Ad Delivery and Reporting purposes will be retained by the member company; b. A statement that the company is a member of the NAI and adheres to the App Code; and, c. A conspicuous link to or a description of how to access an Opt-Out Mechanism for Cross- App Advertising. 2. Standard Health Segments: Members that use standard interest segments for Cross-App Advertising that are based on health-related information or interests shall disclose such segments on their websites. 3. App Store Notice: Members shall take steps to require those applications with which they have a contract and engage in Cross-App Advertising to clearly and conspicuously post notice, or a link to notice, in any store or on any website where the application may be acquired, when and where it is technically possible. Such notice shall contain: a. A statement of the fact that data may be collected for Cross-App Advertising; b. A description of the types of data, including any PII, Precise Location Data, or Personal Directory Data, that are collected for Cross-App Advertising; c. An explanation of the purposes for which the data is collected by, or will be transferred to, third parties; and 5

7 2015 UPDATE TO THE NAI Mobile Application Code d. A conspicuous link to, or description of how to access, an Opt-Out Mechanism for Cross- App Advertising. Commentary: This provision of the App Code is intended to help ensure, to the extent practicable, that users are provided notice of Cross-App Advertising prior to acquiring an application, recognizing that NAI members generally are unable to provide such notice themselves, because they do not control the application or the app store. 4. As part of members overall efforts to promote transparency in the marketplace, members should make reasonable efforts to confirm that applications where the member collects data for Cross-App Advertising furnish notices comparable to those described in II.B.3 above. Commentary: As one recommended approach members may, for example, regularly check a reasonably-sized subset of the applications where they collect data for Cross-App Advertising to confirm that appropriate notice is being provided on the website(s) and/or in the app store(s) where the application may be acquired. 5. Enhanced Notice: Members shall provide, or support the provision of, notice of Cross-App Advertising data, including any PII, collection and use practices and the choices available to users in or around advertisements that are informed by such data. 4 If notice cannot be provided in or around such advertisements, members should take steps to arrange for the application provider serving the advertisement to provide notice within the application: a. As part of the process of downloading an application to a device, at the time the application is launched for the first time, or when the data is accessed; and, b. In the application s settings and/or privacy policy. C. USER CONTROL Commentary: The NAI recognizes that it may be impractical to deliver enhanced notice in or around an advertisement on some devices. In such cases, members should take steps to arrange for the application provider serving the advertisement to provide notice within the application as part of the download process, when the application is first launched, or when the data is accessed, in addition to the notice in an application s settings screen and/or privacy policy. 1. The level of choice that members must provide is commensurate with the sensitivity and intended use of the data. Specifically: a. Use of Non-PII for Cross-App Advertising purposes shall require access to an Opt-Out Mechanism. b. Use of PII to be merged with Non-PII on a going-forward basis for Cross-App Advertising purposes (prospective merger) shall require access to an Opt-Out Mechanism accompanied by robust notice of such choice. Commentary: To be considered robust under this provision, the notice must be provided immediately above or below the mechanism used to authorize the submission of any PII. 4 The enhanced notice requirements of Section II.B.5 are separate and distinct from the application store notice provisions of Sections II.B.3 and II.B.4. Section II.B.5 requires that some form of enhanced notice be provided within the application, whereas sections II.B.3 and II.B.4 concern notice within the store where an application is acquired as well as on the application provider s website. 6

8 c. Use of PII to be merged with previously collected Non-PII for Cross-App Advertising purposes (retrospective merger) shall require a user s Opt-In Consent. d. Use of Precise Location Data for Cross-App Advertising purposes shall require a user s Opt-In Consent. Commentary: A member must obtain Opt-In Consent for the use of Precise Location Data for Cross-App Advertising if it determines that the location data it is collecting for Cross-App Advertising purposes is precise as defined in the App Code and any additional NAI guidance. 5 A platform-provided consent mechanism may be sufficient to obtain Opt-In Consent, so long as the user is prominently notified that 1) the user s Precise Location Data may be shared with third parties and 2) the purposes for which such data may be used, including Cross-App Advertising. The NAI recognizes that at this time, it may not be possible to include the aforementioned notice in all platform-provided consent mechanisms, and accordingly, the NAI may issue additional guidance to clarify additional methods that member companies may employ to fulfill the requirement for Opt-In Consent when using Precise Location Data for Cross-App Advertising. Consistent with the scope of Cross-App Advertising, the App Code requirement of Opt-In Consent for the use of Precise Location Data does not apply to Ad Delivery and Reporting, or when a member company does not store or otherwise save the Precise Location Data in association with a particular individual or device after serving or delivering an advertisement in real-time. For additional guidance on this topic, please refer to the 2015 Update to the NAI Code of Conduct and accompanying commentary. e. Use of Sensitive Data for Cross-App Advertising purposes shall require a user s Opt-In Consent. Commentary: Because it can be difficult to draw bright lines between sensitive and non-sensitive health and medical conditions, the NAI requires members to consider a number of factors when determining whether a particular condition is sensitive. These factors include: the seriousness of the condition, how precisely the condition is defined, its prevalence, whether it is something an average person would consider to be particularly private in nature, whether it is treated by over-the-counter or prescription medications, and whether it can be treated by modifications in lifestyle as opposed to medical intervention. For additional guidance on this topic, please refer to the 2015 Update to the NAI Code of Conduct and accompanying commentary. f. Use of Personal Directory Data for Cross-App Advertising purposes shall require a user s Opt-In Consent. Commentary: Modern devices provide access to new forms of data that were not available through conventional Web browsers. This data can be used to recognize individuals or to assemble a history of location data. As a result, greater degrees of notice and choice are required by the App Code. 5 Guidance for NAI Members: Determining Whether Location is Imprecise, supra note 3. 7

9 2015 UPDATE TO THE NAI Mobile Application Code 2. When a user opts out of Cross-App Advertising from a particular member or members, those member companies must honor the user s choice as to the particular device. Member companies may continue to collect data for other purposes, including Ad Delivery and Reporting. However, any data collected by a member company while a device is opted out may not be used for Cross-App Advertising purposes, regardless of the future opt-out status of the device and regardless of the technology or technologies used for Cross-App Advertising by the member company, absent Opt-In Consent. Commentary: Members may continue to collect and use data for purposes other than Cross-App Advertising following a user s opt-out. Any user data collected while the user is opted out of Cross-App Advertising shall not be used for Cross-App Advertising. Such-collected data remains opted out of Cross-App Advertising regardless of the technologies used to collect the data and regardless of the user s future opt-out status. The NAI works with all members during the membership application and annual review processes to ensure that their opt outs, at minimum, stop the collection of data for Cross-App Advertising. Certain practices, such as the provisioning of offline data for use in Cross-App Advertising, are not directly covered by the App Code. Some member companies have committed to applying NAI principles to these practices in order to further promote consumer privacy. NAI will enforce the relevant App Code provisions on such members. NAI will apply any future updates to the App Code that cover provisioning of offline data for use in targeted advertising to all NAI members. 3. The technologies that members use for Cross-App Advertising purposes must provide users with an appropriate degree of transparency and control. Commentary: The App Code is intended to be technology-neutral, imposing obligations on members regardless of the technologies they use for Cross-App Advertising and Ad Delivery and Reporting. At the same time, the NAI believes that the technologies that members use for Cross-App Advertising should provide users an appropriate degree of transparency and control. The use of immature technologies for Cross-App Advertising will be evaluated on a case-by-case basis. The NAI also recognizes that some technologies used for Cross-App Advertising may not provide adequate transparency for the NAI compliance staff to conduct independent technical monitoring of members adherence to the App Code. In these circumstances, members may be required to implement tools and/or policies that allow NAI staff to perform this necessary compliance function. D. USE LIMITATIONS 1. Member companies shall not create Cross-App Advertising segments specifically targeting children under 13 without obtaining verifiable parental consent. 2. Members shall not use, or allow the use of, Cross-App Advertising or Ad Delivery and Reporting data for any of the following purposes: a. Employment Eligibility; b. Credit Eligibility; c. Health Care Eligibility; or d. Insurance Eligibility and Underwriting and Pricing. 8

10 3. Members who make a material change to their policies and practices around Cross-App Advertising shall obtain Opt-In Consent before applying such change to data collected prior to the change. In the absence of Opt-In Consent, data collected prior to the material change in policy shall continue to be governed by the policy in effect at the time the information was collected. E. TRANSFER RESTRICTIONS 1. Members shall contractually require that any unaffiliated parties to which they provide PII for Cross-App Advertising or Ad Delivery and Reporting adhere to the provisions of this App Code concerning PII. 2. Members shall contractually require that all parties to whom they provide Non-PII collected across applications owned or operated by different entities not attempt, for Cross-App Advertising purposes, to merge such Non-PII with PII held by the receiving party or to re-identify the individual for Cross-App Advertising purposes without obtaining the individual s Opt-In Consent. This requirement does not apply where the Non-PII is proprietary data of the receiving party. F. DATA ACCESS, QUALITY, SECURITY, AND RETENTION 1. Members shall provide users with reasonable access to PII, and other information that is associated with PII, retained by the member for Cross-App Advertising purposes. 2. Members shall conduct appropriate due diligence to help ensure that they obtain data used for Cross-App Advertising from reliable sources that provide users with appropriate levels of notice and choice. 3. Members that collect, transfer, or store data collected for use in Cross-App Advertising and/or Ad Delivery and Reporting shall provide reasonable security for that data. Commentary: Members are required to attest in writing that they have reasonable and appropriate procedures in place to secure their data as required by the App Code. NAI staff does not conduct security audits of member companies or otherwise review the data security practices of members. NAI staff does not opine on or otherwise advise members on specific data security measures, as what is reasonable and appropriate depends on the members business models. Because business models vary from member to member, member companies, not NAI staff, are in the better position to determine what is appropriate under a given set of circumstances. 4. Members engaged in Cross-App Advertising and/or Ad Delivery and Reporting shall retain Non-PII and PII collected for these activities only as long as necessary to fulfill a legitimate business need, or as required by law. 9

11 2015 UPDATE TO THE NAI Mobile Application Code III. Accountability A. MEMBER OBLIGATIONS 1. The App Code is self-regulatory in nature and is binding on all members of the NAI. 2. To help ensure compliance with this App Code, each member should designate at least one individual with responsibility for managing their compliance with the code and providing training to relevant staff within the company. 3. NAI membership requires public representations that a member adheres to the App Code as it applies to its business model, as supplemented by applicable implementation guidelines that shall be adopted by the NAI Board from time to time. Such representations involve explicit acknowledgement of NAI membership and adherence to the App Code in a member s publicly available privacy policy, and inclusion in a membership listing of participating NAI companies on a designated page of the NAI website. B. NAI OVERSIGHT 1. Members are required to annually undergo reviews of their compliance with the App Code by NAI compliance staff or other NAI designees. Members shall fully cooperate with NAI compliance staff or NAI designees, including in the course of annual compliance reviews and any investigation of a potential violation of the App Code. 2. The NAI s policies and procedures for annual compliance reviews and compliance investigations may be updated from time to time. These policies and procedures shall not only describe the process undertaken for a compliance review, but shall also articulate the penalties that could be imposed for a finding of non-compliance, including referral of the matter to the U.S. Federal Trade Commission. These policies and procedures, including any updates or revisions, shall be made available on the NAI website. 3. The NAI shall annually post on its website a report summarizing the compliance of its members with the App Code and NAI policies, including any enforcement actions taken and a summary of complaints received. C. USER COMPLAINTS 1. The NAI website shall include a centralized mechanism to receive an individual s questions or complaints relating to members compliance with the App Code. 2. Each member shall provide a mechanism by which individuals can submit questions or concerns about the company s collection and use of data for Cross-App Advertising purposes, and shall make reasonable efforts to timely respond to and resolve questions and concerns that implicate the member company s compliance with the App Code and NAI policies. Commentary: Members may utilize the same mechanism they have in place for questions and concerns regarding Interest-Based Advertising (as defined by the Code) or may create and use a separate mechanism specifically for questions and concerns regarding Cross-App Advertising. 10

12